From ce8f25b94ac834c1d8cde425e5e628923ce070ce Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Thu, 7 Nov 2024 11:01:18 +0100
Subject: [PATCH] Switch from using tags to variables
Signed-off-by: Radovan Sroka
---
 README.md | 67 +++++++++++++++++-------
 defaults/main.yml | 15 ++++++
 examples/{simple.yml => default.yml} | 11 ++--
 examples/deploy.yml | 15 ++++++
 examples/just_check.yml | 15 ++++++
 examples/just_update.yml | 15 ++++++
 tasks/main.yml | 30 ++++-------
 tests/tasks/check_not_present_header.yml | 16 ++++++
 tests/tests_default.yml | 2 +-
 tests/tests_deploy.yml | 17 ++++++
 vars/AlmaLinux_10.yml | 1 -
 vars/AlmaLinux_8.yml | 1 -
 vars/AlmaLinux_9.yml | 1 -
 vars/CentOS_10.yml | 1 -
 vars/CentOS_7.yml | 1 -
 vars/CentOS_8.yml | 1 -
 vars/CentOS_9.yml | 1 -
 vars/Fedora.yml | 7 ---
 vars/RedHat_10.yml | 7 ---
 vars/RedHat_7.yml | 7 ---
 vars/RedHat_8.yml | 7 ---
 vars/RedHat_9.yml | 7 ---
 vars/Rocky_10.yml | 1 -
 vars/Rocky_8.yml | 1 -
 vars/Rocky_9.yml | 1 -
 vars/main.yml | 1 +
 26 files changed, 157 insertions(+), 92 deletions(-)
 rename examples/{simple.yml => default.yml} (63%)
 create mode 100644 examples/deploy.yml
 create mode 100644 examples/just_check.yml
 create mode 100644 examples/just_update.yml
 create mode 100644 tests/tasks/check_not_present_header.yml
 create mode 100644 tests/tests_deploy.yml
 delete mode 120000 vars/AlmaLinux_10.yml
 delete mode 120000 vars/AlmaLinux_8.yml
 delete mode 120000 vars/AlmaLinux_9.yml
 delete mode 120000 vars/CentOS_10.yml
 delete mode 120000 vars/CentOS_7.yml
 delete mode 120000 vars/CentOS_8.yml
 delete mode 120000 vars/CentOS_9.yml
 delete mode 100644 vars/Fedora.yml
 delete mode 100644 vars/RedHat_10.yml
 delete mode 100644 vars/RedHat_7.yml
 delete mode 100644 vars/RedHat_8.yml
 delete mode 100644 vars/RedHat_9.yml
 delete mode 120000 vars/Rocky_10.yml
 delete mode 120000 vars/Rocky_8.yml
 delete mode 120000 vars/Rocky_9.yml
diff --git a/README.md b/README.md
index 183ad85..40a06d0 100644
--- a/README.md
+++ b/README.md
@@ -18,18 +18,12 @@ extreme caution as it might break your system. ## How does the role do that? -* The role is controlled by using [Ansible Tags](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_tags.html) -* If you run the playbook without specifying any tag the role will change nothing on your remote nodes -* To execute some supported use cases you need to explicitly specify one or more of the following tags +* The role is controlled by using role variables +* If you run the playbook without specifying any role variable the role will change nothing on your remote nodes +* To execute some supported use cases you need to explicitly specify one or more of the following variables ### Available tags to control and use the role -* __install__ - With this tag the role ensures that the `aide` package is installed on the remote nodes -* __generate_config__ - Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this tag the default configuration file shipped with the `aide` package will be used -* __init__ - Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node -* __check__ - Runs an integrity check on the remote nodes -* __update__ - Updates the AIDE database and stores it on the controller node - ## What does this role not do for you? * It does not explain how to create a good AIDE configuration that suits your requirements; that task remains for you to accomplish 
@@ -51,11 +45,45 @@ same directory as the playbook. In case you like to store the fetched AIDE database files somewhere else you need to specify a different path here. -Example of setting the variables: +### aide_install -```yaml -aide_db_fetch_dir: files -``` +With this variable the role ensures that the `aide` package is installed on the remote nodes + +Default: `false` + +Type: `bool` + +### aide_generate_config + +Generates the file `/etc/aide.conf` using `templates/aide.conf.j2`; the template needs to be adjusted to fit your requirements; if you do not use this varable the default configuration file shipped with the `aide` package will be used. + +Default: `false` + +Type: `bool` + +### aide_init + +Initializes the AIDE database and fetches it from the remote nodes to store it on the controller node + +Default: `false` + +Type: `bool` + +### aide_check + +Runs an integrity check on the remote nodes + +Default: `false` + +Type: `bool` + +### aide_update + +Updates the AIDE database and stores it on the controller node + +Default: `false` + +Type: `bool` ## Example Playbook @@ -69,16 +97,15 @@ passed in as parameters) is always nice for users too: hosts: targets tasks: - name: Include role aide - tags: - - install - - generate_config - - init - - check - - update vars: aide_db_fetch_dir: files + aide_install: true + aide_generate_config: true + aide_init: true + aide_check: false + aide_update: false ansible.builtin.include_role: - name: aide + name: linux-system-roles.aide ``` More examples can be found in the [`examples/`](examples) directory. diff --git a/defaults/main.yml b/defaults/main.yml index 40217d4..cd74b8a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -5,3 +5,18 @@ # Examples of role input variables: aide_db_fetch_dir: files + +# Enable install phase +aide_install: false + +# Enable config file generation phase +aide_generate_config: false + +# Enable initialization of the database phase +aide_init: false + +# Enable check database phase +aide_check: false + +# Enable database update phase +aide_update: false diff --git a/examples/simple.yml b/examples/default.yml similarity index 63% rename from examples/simple.yml rename to examples/default.yml index 044fc5d..bcdd356 100644 --- a/examples/simple.yml +++ b/examples/default.yml @@ -4,13 +4,12 @@ hosts: targets tasks: - name: Include role aide - tags: - - install - - generate_config - - init - - check - - update vars: aide_db_fetch_dir: files + aide_install: true + aide_generate_config: true + aide_init: true + aide_check: false + aide_update: false ansible.builtin.include_role: name: linux-system-roles.aide diff --git a/examples/deploy.yml b/examples/deploy.yml new file mode 100644 index 0000000..bcdd356 --- /dev/null +++ b/examples/deploy.yml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_db_fetch_dir: files + aide_install: true + aide_generate_config: true + aide_init: true + aide_check: false + aide_update: false + ansible.builtin.include_role: + name: linux-system-roles.aide diff --git a/examples/just_check.yml b/examples/just_check.yml new file mode 100644 index 0000000..a270d53 --- /dev/null +++ b/examples/just_check.yml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_db_fetch_dir: files + aide_install: false + aide_generate_config: false + aide_init: false + aide_check: true + aide_update: false + ansible.builtin.include_role: + name: linux-system-roles.aide 
diff --git a/examples/just_update.yml b/examples/just_update.yml new file mode 100644 index 0000000..310b67d --- /dev/null +++ b/examples/just_update.yml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: MIT +--- +- name: Example aide role invocation + hosts: targets + tasks: + - name: Include role aide + vars: + aide_db_fetch_dir: files + aide_install: false + aide_generate_config: false + aide_init: false + aide_check: false + aide_update: true + ansible.builtin.include_role: + name: linux-system-roles.aide diff --git a/tasks/main.yml b/tasks/main.yml index 89e7dde..2243c0a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -10,9 +10,8 @@ state: present use: "{{ (__aide_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" - tags: - - never - - install + when: + - aide_install - name: Ensure required services are enabled and started ansible.builtin.service: @@ -20,8 +19,6 @@ state: started enabled: true loop: "{{ __aide_services }}" - tags: - - never - name: Generate "/etc/{{ __aide_config }}" ansible.builtin.template: @@ -29,15 +26,12 @@ dest: "/etc/{{ __aide_config }}" backup: true mode: "0400" - tags: - - never - - generate_config + when: + - aide_generate_config - name: Initialize AIDE database and fetch it - become: true - tags: - - never - - init + when: + - aide_init block: - name: Initialize AIDE database ansible.builtin.command: @@ -55,10 +49,8 @@ state: absent - name: Check AIDE integrity - become: true - tags: - - never - - check + when: + - aide_check block: - name: Copy AIDE reference database to remote ansible.builtin.copy: @@ -76,10 +68,8 @@ changed_when: true - name: Update AIDE database and fetch it - become: true - tags: - - never - - update + when: + - aide_update block: - name: Update AIDE database ansible.builtin.command: diff --git a/tests/tasks/check_not_present_header.yml b/tests/tasks/check_not_present_header.yml new file mode 100644 index 0000000..3362e18 --- /dev/null +++ b/tests/tasks/check_not_present_header.yml 
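Review bot: In the tasks/main.yml hunk at `@@ -20,8 +19,6 @@`, the "Ensure required services are enabled and started" task loses its `tags: [never]` but, unlike the package and template tasks around it, gets no `when:` guard, so it now runs on every invocation of the role; it is only harmless today because vars/main.yml sets `__aide_services: []`. That contradicts the README statement in this same commit that the role changes nothing unless a variable is set, and it will start services unconditionally the moment someone populates that list. Gate it like the install task: add `when:` with `- aide_install` under it, since the services only make sense once the package is managed.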
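Review bot: The hunk at `@@ -29,15 +26,12 @@` removes `become: true` from the "Initialize AIDE database and fetch it" block, and the two following hunks do the same for the "Check AIDE integrity" and "Update AIDE database and fetch it" blocks, which is a privilege change the commit title "Switch from using tags to variables" does not mention. These blocks run `aide` through `ansible.builtin.command` and copy the reference database onto the remote, which presumably needs root, so a play that relied on the role escalating by itself will now fail or run as the connection user. Either keep `become: true` on the three blocks alongside the new `when:`, or state in README and defaults/main.yml that the caller must supply privilege escalation, and add `become: true` to the new example playbooks accordingly. The three block bodies continue outside their hunks.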
@@ -0,0 +1,16 @@ +# SPDX-License-Identifier: MIT +--- +- name: Get file + slurp: + path: "{{ __file }}" + register: __content + when: not __file_content is defined + +- name: Check for presence of ansible managed header, fingerprint + assert: + that: + - ansible_managed not in content + - __fingerprint not in content + vars: + content: "{{ (__file_content | d(__content)).content | b64decode }}" + ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}" diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 081b7cb..af98ed0 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -7,7 +7,7 @@ - linux-system-roles.aide tasks: - name: Check header for ansible_managed, fingerprint - include_tasks: tasks/check_header.yml + include_tasks: tasks/check_not_present_header.yml vars: __file: /etc/aide.conf __fingerprint: system_role:aide diff --git a/tests/tests_deploy.yml b/tests/tests_deploy.yml new file mode 100644 index 0000000..2c09e27 --- /dev/null +++ b/tests/tests_deploy.yml @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: MIT +--- +- name: Ensure that the role runs with default parameters + hosts: all + gather_facts: false # test that role works in this case + roles: + - role: linux-system-roles.aide + vars: + aide_install: true + aide_generate_config: true + aide_init: true + tasks: + - name: Check header for ansible_managed, fingerprint + include_tasks: tasks/check_header.yml + vars: + __file: /etc/aide.conf + __fingerprint: system_role:aide diff --git a/vars/AlmaLinux_10.yml b/vars/AlmaLinux_10.yml deleted file mode 120000 index f830d5f..0000000 --- a/vars/AlmaLinux_10.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_10.yml \ No newline at end of file diff --git a/vars/AlmaLinux_8.yml b/vars/AlmaLinux_8.yml deleted file mode 120000 index ad7713d..0000000 --- a/vars/AlmaLinux_8.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_8.yml \ No newline at end of file 
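Review bot: The "Get file" task in the new tests/tasks/check_not_present_header.yml slurps `__file` unconditionally, and tests_default.yml now routes /etc/aide.conf through this file on a run where every phase variable is false, so if the test host does not already ship the `aide` package the file may not exist and slurp errors out instead of the "not present" check passing. Stat the path first and treat absence as a pass, skipping both the slurp and the assert when nothing was read; the assert's `content` var otherwise dereferences an undefined `__content.content`. While there, `when: not __file_content is defined` reads more naturally as `when: __file_content is not defined`.

```yaml
- name: Check whether file exists
  ansible.builtin.stat:
    path: "{{ __file }}"
  register: __stat
  when: __file_content is not defined

- name: Get file
  slurp:
    path: "{{ __file }}"
  register: __content
  when:
    - __file_content is not defined
    - __stat.stat.exists

- name: Check for presence of ansible managed header, fingerprint
  assert:
    that:
      - ansible_managed not in content
      - __fingerprint not in content
  when: __file_content is defined or __stat.stat.exists
  # … unchanged: vars block (content, ansible_managed) …
```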
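Review bot: The play name in the new tests/tests_deploy.yml, "Ensure that the role runs with default parameters", is copied from tests_default.yml but this play sets `aide_install`, `aide_generate_config` and `aide_init` to true, so it misdescribes what is tested; rename it, e.g. `- name: Ensure that the role installs aide, generates the config and initializes the database`. Since the same commit drops `become: true` from the role's init block, this play also needs to say how it obtains root: add `become: true` at play level unless the test harness is known to connect as root, otherwise the init step will fail on an unprivileged connection.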
diff --git a/vars/AlmaLinux_9.yml b/vars/AlmaLinux_9.yml deleted file mode 120000 index 0eb3795..0000000 --- a/vars/AlmaLinux_9.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_9.yml \ No newline at end of file diff --git a/vars/CentOS_10.yml b/vars/CentOS_10.yml deleted file mode 120000 index f830d5f..0000000 --- a/vars/CentOS_10.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_10.yml \ No newline at end of file diff --git a/vars/CentOS_7.yml b/vars/CentOS_7.yml deleted file mode 120000 index 105e630..0000000 --- a/vars/CentOS_7.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_7.yml \ No newline at end of file diff --git a/vars/CentOS_8.yml b/vars/CentOS_8.yml deleted file mode 120000 index ad7713d..0000000 --- a/vars/CentOS_8.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_8.yml \ No newline at end of file diff --git a/vars/CentOS_9.yml b/vars/CentOS_9.yml deleted file mode 120000 index 0eb3795..0000000 --- a/vars/CentOS_9.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_9.yml \ No newline at end of file diff --git a/vars/Fedora.yml b/vars/Fedora.yml deleted file mode 100644 index c40e953..0000000 --- a/vars/Fedora.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Fedora specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_10.yml b/vars/RedHat_10.yml deleted file mode 100644 index 1b63f8a..0000000 --- a/vars/RedHat_10.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 10 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml deleted file mode 100644 index 89e8e92..0000000 --- a/vars/RedHat_7.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 7 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] 
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml deleted file mode 100644 index 4a11f9c..0000000 --- a/vars/RedHat_8.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 8 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml deleted file mode 100644 index dadc3a1..0000000 --- a/vars/RedHat_9.yml +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: MIT ---- -# Put internal variables here with Red Hat Enterprise Linux 9 specific values. - -# Example: -__aide_packages: [] -__aide_services: [] diff --git a/vars/Rocky_10.yml b/vars/Rocky_10.yml deleted file mode 120000 index f830d5f..0000000 --- a/vars/Rocky_10.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_10.yml \ No newline at end of file diff --git a/vars/Rocky_8.yml b/vars/Rocky_8.yml deleted file mode 120000 index ad7713d..0000000 --- a/vars/Rocky_8.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_8.yml \ No newline at end of file diff --git a/vars/Rocky_9.yml b/vars/Rocky_9.yml deleted file mode 120000 index 0eb3795..0000000 --- a/vars/Rocky_9.yml +++ /dev/null @@ -1 +0,0 @@ -RedHat_9.yml \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml index 4434101..13c2628 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,6 +7,7 @@ # Examples of non-distribution specific (generic) internal variables: __aide_config: aide.conf __aide_packages: ['aide'] +__aide_services: [] __aide_db_name: /var/lib/aide/aide.db.gz __aide_db_new_name: /var/lib/aide/aide.db.new.gz # ansible_facts required by the role